GovCert.NL - The Monkey Steals The Berries
- 3. Agenda
Background
Attacker Motivation
Case Studies
Mobile Security Mechanisms
Potential Effects and Behaviors
Detecting Malicious Mobile Applications
Demonstration
Conclusion
© 2010 Veracode, Inc. 3
- 5. Malicious Mobile Applications
Modifications to legitimate programs
Developer created
– Intentional
– Inadvertent
Any programming language
Any operating system
- 7. Attacker Motivation
Practical method of compromise
Retrieve or manipulate valuable private data
Cost effective and reliable
- 8. Units Sold By Operating System
[Bar chart: Units Sold (y-axis) by Operating System (x-axis), two series labelled 2008 Units and 2009 Units; operating systems shown: Symbian, Research In Motion, iPhone OS, Microsoft Windows Mobile, Linux, Android, WebOS, Other OSs. The per-bar values are not reliably recoverable from the extracted slide.]
Data Source: DISTMO Appstore Analytics, www.appstore.info
- 9. Units Sold Market Growth
[Bar chart: Percentage Growth in Market Share (y-axis, roughly -6% to +6%) by Operating System (x-axis): Symbian, Research In Motion, iPhone OS, Microsoft Windows Mobile, Linux, Android, WebOS, Other OSs. The per-bar values are not reliably recoverable from the extracted slide.]
Data Source: DISTMO Appstore Analytics, www.appstore.info
- 10. Application Counts
[Bar chart: Number Of Applications In Store (last counted Jan/Feb 2010) by Marketplace Name. Store labels in the order they appear on the chart: iPhone App Store, Android Marketplace, Nokia Ovi Store (Maemo), Blackberry App World, Palm App Catalog, Windows Marketplace. Bar value labels in the order they appear: 150,998; 19,897; 6118; 5291; 1452; 944.]
Data Source: DISTMO Appstore Analytics, www.appstore.info
- 11. iPhone Applications Sold
[Chart: Applications Sold (In Billions), y-axis from 0.00 to 3.00; the data points are not recoverable from the extracted slide.]
Data Source: Gartner, Inc., a research and advisory firm
- 16. FlexiSpy Web Site Quotes
“Download FlexiSPY spyphone software directly onto a mobile phone and receive copies of SMS, Call Logs, Emails, Locations and listen to conversations within minutes of purchase.”
“Catch cheating wives or cheating husbands, stop employee espionage, protect children, make automatic backups, bug meeting rooms etc.”
“F Secure seem to think that it's ok for them to interfere with legitimate, legal and accountable software. Who appointed them judge, jury and executioner anyway, and why won't they answer our emails, so we have to ask who is the real malware? Here is how to remove FSecure malware from your device. Please don't believe the fsecure fear mongers who simply wish you to buy their products.”
- 18. Mobile Spy Web Site Quotes
“This high-tech spy software will allow you to see exactly what they do while you are away. Are your kids texting while driving or using the phone in all hours of the night? Are your employees sending company secrets? Do they erase their phone logs?”
“Our software is not for use on a phone you do not own or have proper permission to monitor from the user or owner. You must always follow all applicable laws and regulations in your region.”
“Purchased by more than 30,000 customers in over 150 countries”
- 20. Etisalat (SS8)
UAE cellular carrier
Distribution: SMS link to patch
Command & Control: BB PIN
Hidden on device
Data stolen: Email, SMS
- 21. Storm8 Phone Number Farming
iPhone video game maker
Built into game
Distribution: iTunes
Command & Control: None
Hidden within application
Data stolen: Phone Number
- 22. Symbian Sexy Space
No real facade
Botnet for Symbian phone
Distribution: Malicious web sites
Worm: SPAM contacts
Data stolen: Phone number, network information
Signed by Symbian as safe!
– Anti-virus scan
– Some manual assessment
- 23. 09Droid – Banking Applications Attack
09Droid developer
Web frontends to 50+ banks
Distribution: Android Marketplace
Data stolen: Unknown – likely none
Multiple bank fraud warnings released
- 24. 3D Anti-Terrorist / PDA Poker Art / Codec Pack WM1.0
Original author: Huike
Repackaged in Russia
Built into game
Distribution: WM shareware web sites
Command & Control: None
Data stolen: Money!
- 26. Does It Really Matter?!
Only 23% of smartphone owners use the security software installed on the devices.
(Source: Trend Micro Inc. survey of 1,016 U.S. smartphone users, June 2009)
13% of organizations currently protect from mobile viruses
(Mobile Security 2009 Survey by Goode Intelligence)
- 27. Common Mobile Security Mechanisms
Corporate level security policies
Application level security policies
Mobile anti-virus
Application marketplace screening
Code Signing
- 28. V5.0.0.328 Trusted 3rd Party Application Permissions
[Permission grid for a trusted third-party application; the allow/prompt/deny setting shown per permission is not recoverable from the extracted slide. Permissions listed: USB Connections, Bluetooth Connections, Phone Connections, Location Data, Server Network, Internet, IPC, Device Settings, Media, Application Management, Themes, Input Simulation, Security Timer Reset, Display Information While Locked, Browser Filtering, Recording, Email Data, Organizer Data, Files, Security Data.]
- 29. V5.0.0.328 Untrusted 3rd Party Application Permissions
[Permission grid for an untrusted third-party application; the allow/prompt/deny setting shown per permission is not recoverable from the extracted slide. Permissions listed: USB Connections, Bluetooth Connections, Phone Connections, Location Data, Server Network, Internet, IPC, Device Settings, Media, Application Management, Themes, Input Simulation, Security Timer Reset, Display Information While Locked, Browser Filtering, Recording, Email Data, Organizer Data, Files, Security Data.]
- 31. Installation Methods
[Four-quadrant layout; the column assignment of the last two groups is partly lost in extraction.]
Application Marketplace
– iTunes
– Android Marketplace
– Blackberry App World
Over The Air (OTA)
– Web Sites
– Carrier Pushed
Enterprise Distribution
– Mass Push Distribution
– With/Without Corporate Assistance
PC Loader
– User Desktop
– Targets
– Virus
- 33. Logging and Dumping
Monitor connected / disconnected calls
Monitor PIM added / removed / updated
Monitor inbound SMS
Monitor outbound SMS
Track GPS coordinates in real time
Dump all contacts
Dump current location
Dump phone logs
Dump email
Dump microphone capture (security prompted)
- 34. Exfiltration and C&C Methods
SMS (No CDMA)
SMS Datagrams (Supports CDMA)
Email
HTTP GET
HTTP POST
TCP Socket
UDP Socket
DNS Exfiltration
Default command and control channel: inbound SMS
TXSPROTO: bidirectional TCP-based command and control
- 36. Detecting Malicious Mobile Code
Signature Based Detection
– Broken
Resource Usage Whitelisting
– Semi-broken
Sandbox Based Execution Heuristics
– Semi-broken
Static Decompilation and Analysis
– Hard to do, but WORKS!
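The static-analysis approach the talk favours can be made concrete as a capability check over what a decompiler reports an application references. The script below is an added example for this page, not code from the talk or from Veracode: it maps referenced API packages to the collection capabilities of slide 33 and the exfiltration channels of slide 34 and flags apps whose declared purpose does not explain that combination. The package-to-capability table, the expected-capability baseline and the sample apps are assumptions constructed for the example.

```python
"""Static capability check over a decompiled mobile app (added example).
The API table, baseline and sample apps below are constructed assumptions,
not data from the talk."""
from collections import defaultdict

# Assumed mapping: referenced package or class prefix -> (kind, capability).
API_CAPABILITIES = {
    "net.rim.blackberry.api.phone": ("collect", "call monitoring"),
    "javax.microedition.pim": ("collect", "contacts/PIM"),
    "javax.microedition.location": ("collect", "GPS location"),
    "net.rim.blackberry.api.mail": ("collect", "email"),
    "javax.wireless.messaging": ("exfil", "SMS"),
    "javax.microedition.io.HttpConnection": ("exfil", "HTTP"),
    "javax.microedition.io.SocketConnection": ("exfil", "TCP socket"),
    "javax.microedition.io.DatagramConnection": ("exfil", "UDP datagram"),
}

# Capabilities a declared app category is expected to need (assumed baseline).
EXPECTED = {"game": set(), "messaging": {"contacts/PIM", "SMS", "HTTP"}}

def assess(references, category):
    """Return (verdict, unexplained capabilities, exfiltration channels)."""
    found = defaultdict(set)
    for ref in references:
        for prefix, (kind, name) in API_CAPABILITIES.items():
            if ref.startswith(prefix):
                found[kind].add(name)
    expected = EXPECTED.get(category, set())
    unexplained = (found["collect"] | found["exfil"]) - expected
    # The spyware pattern from the slides: data collection plus a channel out,
    # with the collection not explained by what the app claims to be.
    if found["collect"] - expected and found["exfil"]:
        verdict = "review: collection plus exfiltration beyond declared purpose"
    elif unexplained:
        verdict = "review: unexplained capabilities"
    else:
        verdict = "consistent with declared purpose"
    return verdict, sorted(unexplained), sorted(found["exfil"])

# Constructed sample apps: (declared category, classes referenced in the decompile).
SAMPLE_APPS = {
    "PuzzleGame": ("game", ["net.rim.device.api.ui.Screen",
                            "javax.microedition.pim.ContactList",
                            "javax.microedition.location.LocationProvider",
                            "javax.wireless.messaging.TextMessage"]),
    "ChatClient": ("messaging", ["javax.microedition.pim.ContactList",
                                 "javax.microedition.io.HttpConnection"]),
}

for app, (category, refs) in SAMPLE_APPS.items():
    print(app, assess(refs, category))
```

A game that reads contacts, tracks location and sends SMS is flagged for review, while a messaging client using the same contact API with HTTP is consistent with its declared purpose.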
- 38. Defense in Depth
Do all of the above!
Implement and enforce strong IT policies
Implement and enforce additional application policies as required
Implement a best of breed anti-virus solution
– If only for thoroughness of deployed options
Utilize static decompilation and analysis of applications considered for deployment
- 40. Conclusion
We are currently trusting the vendor application store provider for the majority of our mobile device security
Minimal methods of real-time eradication or detection of spyware-type activities exist
When they do exist they are not configured correctly (or at all)
No easy/automated way to confirm for ourselves what the applications are actually doing
Automate the decompilation and static analysis of applications that are required for the ongoing functioning of your business